In recent years, networks built on software defined networking (SDN) as the fundamental framework are booming. SDN separates routing control from data forwarding in the traditional IP network to achieve centralized control and distributed forwarding, and simplifies network management and configuration by providing a software-programmable manner, but it also expands the attack surface for distributed denial of service (DDoS) attacks on the network.
Currently, when DDoS attacks in SDN are to be controlled, mostly DDoS attacks on the control plane of the SDN are considered. However, previous research has shown that DDoS attacks on the data plane of the SDN threaten the SDN more easily, and such attacks may intentionally evade most DDoS detection on the SDN because of their stealthiness.
When DDoS attacks on the data plane of the SDN are to be simulated, a related algorithm proposes stealthy DDoS attacks based on the flow table entry timeout: the algorithm periodically increases the number of zombie hosts in an incremental mode until the flow table of the target switch approaches a saturation condition, and each zombie host periodically transmits an attack packet at an attack interval smaller than the flow table entry timeout, so that the flow entries of all attack packets are guaranteed to remain in the flow table of the target switch and legitimate flow entries can no longer be installed and processed. However, in the incremental mode, the attack speed of each zombie host cannot quickly reach the minimum attack speed (the attack speed at which the flow entries of the target switch keep a saturation condition that approaches the total size of the flow table).
The existing algorithm for detecting DDoS attacks on the data plane of the SDN proposes periodically acquiring flow entries from the target switch, checking the acquired flow entries, and determining from the checking results whether a stealthy attack flow exists. When such an algorithm is deployed on the controller, a large amount of traffic load is added to the secure channel between the control plane and the data plane of the SDN; when it is deployed on each target switch, it is incompatible with the logically centralized control idea of the SDN, and upgrading similar detection algorithms and coupling them with mitigation measures (such as implementing a blacklist) according to the detection results becomes complex.
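The two mechanisms described above, flow entries kept alive by refreshes spaced just under the idle timeout and a detector that periodically acquires and checks the switch's flow entries, can be seen together in a small in-memory model. The following is an added example written for this page; it is not code from the patent or from any SDN controller. It assumes a simplified OpenFlow-style flow table (fixed capacity, per-entry idle timeout, table-miss installs an entry), and the capacity, timeout, traffic mix and detection thresholds are all constructed values.

```python
"""Flow-table aging model with a periodic entry-inspection check (added example).

Assumes a simplified OpenFlow-style flow table: a table-miss installs an entry,
an entry ages out after IDLE_TIMEOUT seconds without traffic, and nothing can be
installed once CAPACITY entries are present. All values below are constructed.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 10.0  # seconds (constructed)
CAPACITY = 50        # flow entries (constructed)


@dataclass
class FlowEntry:
    match: tuple        # constructed match key: (src_ip, dst_ip, dst_port)
    installed_at: float
    last_seen: float
    packet_count: int = 1


class FlowTable:
    """Toy switch flow table: table-miss installs an entry, idle entries age out."""

    def __init__(self, capacity: int, idle_timeout: float):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = {}
        self.rejected = 0   # new flows that could not be installed (table full)

    def expire(self, now: float) -> None:
        stale = [m for m, e in self.entries.items()
                 if now - e.last_seen >= self.idle_timeout]
        for m in stale:
            del self.entries[m]

    def packet(self, match: tuple, now: float) -> bool:
        """Handle one packet; False means the table was full and the flow was not installed."""
        self.expire(now)
        entry = self.entries.get(match)
        if entry is not None:
            entry.last_seen = now
            entry.packet_count += 1
            return True
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[match] = FlowEntry(match, now, now)
        return True

    def utilization(self) -> float:
        return len(self.entries) / self.capacity


def find_sparse_long_lived(table: FlowTable, now: float,
                           min_lifetimes: float = 3.0, gap_fraction: float = 0.5) -> list:
    """Check the acquired entries: flag flows that have outlived several idle timeouts
    while refreshing themselves only sparsely (mean packet gap close to the timeout).
    Thresholds are constructed for this example."""
    suspects = []
    for e in table.entries.values():
        if now - e.installed_at < min_lifetimes * table.idle_timeout or e.packet_count < 2:
            continue
        mean_gap = (e.last_seen - e.installed_at) / (e.packet_count - 1)
        if mean_gap >= gap_fraction * table.idle_timeout:
            suspects.append(e.match)
    return sorted(suspects)


def simulate(horizon: int = 120, sparse_flows: int = 45, refresh_period: int = 9,
             check_period: int = 10) -> dict:
    """Drive the table one second at a time with constructed traffic:
    - one persistent legitimate flow sending 5 packets/s,
    - `sparse_flows` flows refreshed every `refresh_period` s (below the timeout),
    - one new short legitimate flow per second (a 20-packet burst).
    Every `check_period` s the whole table is inspected, as a polling controller would."""
    table = FlowTable(CAPACITY, IDLE_TIMEOUT)
    checks = []   # (time, utilization, number of flagged entries)
    for t in range(horizon):
        now = float(t)
        for _ in range(5):
            table.packet(("10.0.0.2", "10.0.0.1", 5001), now)
        if t % refresh_period == 0:
            for i in range(sparse_flows):
                table.packet(("198.51.100.%d" % i, "10.0.0.1", 443), now)
        short = ("10.0.0.3", "10.0.0.1", 10000 + t)
        if table.packet(short, now):          # only a flow that got installed keeps sending
            for _ in range(19):
                table.packet(short, now)
        if t % check_period == 0:
            checks.append((t, table.utilization(), len(find_sparse_long_lived(table, now))))
    return {"rejected": table.rejected, "checks": checks}


if __name__ == "__main__":
    result = simulate()
    print("legitimate flows that could not be installed:", result["rejected"])
    for t, util, n in result["checks"]:
        print("t=%3d utilization=%.2f sparse-long-lived=%d" % (t, util, n))
```

With the constructed numbers the table reaches full utilization within a few seconds and stays there, because the 45 sparse flows never age out while each one-second legitimate flow holds a slot for a full timeout; 72 of the 120 short legitimate flows are never installed. The check flags nothing during the first three timeouts and then flags all 45 sparse entries, while the persistent high-rate flow and the short bursts are not flagged. Two caveats a practitioner would want: a legitimate long-lived, low-rate flow (a keepalive, for instance) is indistinguishable from a sparse refresh flow by this check alone, so the result is a candidate list rather than a verdict; and because the check reads every entry on every poll, running it from the controller imposes exactly the secure-channel load the text above objects to.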